<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>This is working, and here's the explanation...</p>
<p>I built a virus scanning ruleset as you described. This result
happened, which is normal. Messages are always virus scanned as a
batch. Even though the virus is found, it is not counted against
the message and the message is sent anyway and marked as clean in
MailWatch. In fact, in this case Google sees the EICAR test and
rejects the message.<br>
</p>
<p>Jan 12 22:30:43 smtp MailScanner[226819]: Virus and Content
Scanning: Starting<br>
Jan 12 22:30:43 smtp MailScanner[226819]:
Clamd::INFECTED::{HEX}EICAR.TEST.3.UNOFFICIAL ::
./4DFtJ14q8Fz7g2sY/<br>
Jan 12 22:30:43 smtp MailScanner[226819]: Clamd::INFECTED::
{HEX}EICAR.TEST.3.UNOFFICIAL ::
./4DFtJ14q8Fz7g2sY/msg-226819-3.txt<br>
Jan 12 22:30:43 smtp MailScanner[226819]: Virus Scanning: Clamd
found 2 infections<br>
Jan 12 22:30:43 smtp MailScanner[226819]: Virus Scanning: Found 2
viruses<br>
Jan 12 22:30:43 smtp MailScanner[226819]: Spam Checks: Starting<br>
Jan 12 22:30:43 smtp MailScanner[226819]: Requeue:
4DFtJ14q8Fz7g2sY to 4DFtJ34gZPz0c34<br>
Jan 12 22:30:43 smtp postfix/qmqpd[226995]: connect from
localhost[127.0.0.1]<br>
Jan 12 22:30:43 smtp postfix/qmqpd[226995]: 4DFtJ34h5tz7g2sY:
client=localhost[127.0.0.1]<br>
Jan 12 22:30:43 smtp opendmarc[6361]: ignoring connection from
localhost<br>
Jan 12 22:30:43 smtp postfix/cleanup[226982]: 4DFtJ34h5tz7g2sY:
message-id=&lt;09fca5f0-f6d3-be52-55e0-97ba9bfa67a3@summitgrid.com&gt;<br>
Jan 12 22:30:43 smtp opendkim[6362]: 4DFtJ34h5tz7g2sY:
DKIM-Signature field added (s=default, d=summitgrid.com)<br>
Jan 12 22:30:43 smtp postfix/qmgr[2173]: 4DFtJ34h5tz7g2sY:
from=&lt;shawniverson@summitgrid.com&gt;, size=2427, nrcpt=1
(queue active)<br>
Jan 12 22:30:43 smtp postfix/qmqpd[226995]: disconnect from
localhost[127.0.0.1]<br>
Jan 12 22:30:43 smtp MailScanner[226819]: Uninfected: Delivered 1
messages<br>
Jan 12 22:30:43 smtp MailScanner[226819]: Deleted 1 messages from
processing-database<br>
Jan 12 22:30:43 smtp MailScanner[226819]: MailWatch: Logging
message 4DFtJ14q8Fz7g2sY to SQL<br>
Jan 12 22:30:44 smtp postfix/smtp[226998]: 4DFtJ34h5tz7g2sY:
to=&lt;shawniverson@gmail.com&gt;,
relay=gmail-smtp-in.l.google.com[172.253.119.26]:25, delay=0.92,
delays=0.06/0/0.43/0.44, dsn=5.7.0, status=bounced (host
gmail-smtp-in.l.google.com[172.253.119.26] said: 552-5.7.0 This
message was blocked because its content presents a potential
552-5.7.0 security issue. Please visit 552-5.7.0
<a class="moz-txt-link-freetext" href="https://support.google.com/mail/?p=BlockedMessage">https://support.google.com/mail/?p=BlockedMessage</a> to review our
552 5.7.0 message content and attachment content guidelines.
x13si356045iov.16 - gsmtp (in reply to end of DATA command))<br>
</p>
<p>When I remove the ruleset and scan everything, this happens. You
can see it still finds the infection, but this time the message is
marked as infected and the message is not sent.<br>
</p>
<p>Jan 12 22:34:40 smtp MailScanner[227999]: New Batch: Scanning 1
messages, 2015 bytes<br>
Jan 12 22:34:40 smtp MailScanner[227999]: Virus and Content
Scanning: Starting<br>
Jan 12 22:34:40 smtp MailScanner[227999]:
Clamd::INFECTED::{HEX}EICAR.TEST.3.UNOFFICIAL ::
./4DFtNZ31Mwz7g2sY/<br>
Jan 12 22:34:40 smtp MailScanner[227999]: Clamd::INFECTED::
{HEX}EICAR.TEST.3.UNOFFICIAL ::
./4DFtNZ31Mwz7g2sY/msg-227999-1.txt<br>
Jan 12 22:34:40 smtp MailScanner[227999]: Virus Scanning: Clamd
found 2 infections<br>
Jan 12 22:34:40 smtp MailScanner[227999]: Infected message
4DFtNZ31Mwz7g2sY came from 198.100.154.215<br>
Jan 12 22:34:40 smtp MailScanner[227999]: Virus Scanning: Found 2
viruses<br>
Jan 12 22:34:40 smtp MailScanner[227999]: Viruses marked as
silent: Clamd: message was infected:
{HEX}EICAR.TEST.3.UNOFFICIAL, Clamd: msg-227999-1.txt was
infected: {HEX}EICAR.TEST.3.UNOFFICIAL<br>
Jan 12 22:34:40 smtp MailScanner[227999]: Saved entire message to
/var/spool/MailScanner/quarantine/20210112/4DFtNZ31Mwz7g2sY<br>
Jan 12 22:34:40 smtp MailScanner[227999]: Saved infected
"msg-227999-1.txt" to
/var/spool/MailScanner/quarantine/20210112/4DFtNZ31Mwz7g2sY<br>
<br>
</p>
<div class="moz-cite-prefix">On 1/12/21 12:15 PM, Shawn Iverson via
MailScanner wrote:<br>
</div>
<blockquote type="cite"
cite="mid:4f0d7fe0-bc28-c9a3-4e41-1496708f4cd9@summitgrid.com">
<p>I'll run a test this evening on my instance and see if there is
something up with the codebase...<br>
</p>
<div class="moz-cite-prefix">On 1/12/21 4:59 AM, Nicola Piazzi via
MailScanner wrote:<br>
</div>
<blockquote type="cite"
cite="mid:06850f18d3e143af8fc771ec34729a4c@gruppocomet.it">
<div class="WordSection1">
<p class="MsoNormal">Valentin, I tried everything but it is the
same<span
style="color:windowtext;mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="color:windowtext;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><b><span
style="font-size:12.0pt;color:windowtext">Nicola
Piazzi</span></b><span style="color:windowtext"><br>
Information Systems<br>
COMET s.p.a.<br>
Via Michelino, 105 - 40127 Bologna – Italia<br>
Tel. +39 051.6079.293<br>
Cell. +39 347.5027273<br>
<a href="http://www.comet.it" moz-do-not-send="true">www.comet.it</a><br>
<a href="http://www.gruppocomet.it"
moz-do-not-send="true">www.gruppocomet.it</a><br>
<br>
<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span
style="color:windowtext;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="color:windowtext">From:</span></b><span
style="color:windowtext"> MailScanner
<a class="moz-txt-link-rfc2396E"
href="mailto:mailscanner-bounces+nicola.piazzi=gruppocomet.it@lists.mailscanner.info"
moz-do-not-send="true">&lt;mailscanner-bounces+nicola.piazzi=gruppocomet.it@lists.mailscanner.info&gt;</a> <b>On
behalf of </b>Valentin Laskov<br>
<b>Sent:</b> Tuesday, January 12, 2021 10:26<br>
<b>To:</b> <a class="moz-txt-link-abbreviated"
href="mailto:mailscanner@lists.mailscanner.info"
moz-do-not-send="true">mailscanner@lists.mailscanner.info</a><br>
<b>Subject:</b> Re: Deep test virus scan rule that
doesnt work<br>
<b>Priority:</b> Low<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 12.01.2021 at 10:54, Nicola Piazzi
via MailScanner wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">FromOrTo: Default No<o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span class="jlqj4b"><span lang="EN">Are
the fields separated by Tab?</span></span> Or space?<br>
<br>
Must be tab separated.<br>
<br>
Regards!<br>
Valentin<br>
<br>
<o:p></o:p></p>
<pre>-- <o:p></o:p></pre>
<pre>Regards!<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>Valentin Laskov<o:p></o:p></pre>
<pre>System Administrator<o:p></o:p></pre>
<pre>"Festa Holding" AD<o:p></o:p></pre>
<pre>48 "Vl. Varnenchik" Blvd.<o:p></o:p></pre>
<pre>9000 Varna<o:p></o:p></pre>
<pre>tel.: +359 52 669137<o:p></o:p></pre>
<pre>GSM: +359 888 669137<o:p></o:p></pre>
<pre>Fax: +359 52 669110<o:p></o:p></pre>
</div>
</blockquote>
</blockquote>
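<p>A log check for the behaviour shown in the first run above, added here as an example and not part of the original message or of MailScanner: it flags queue IDs where Clamd reported an infection but the message was requeued with no "Infected message" or quarantine line. The function name and the sample log (constructed by unwrapping lines from the two runs quoted above) are assumptions, as is treating "requeued and not quarantined" as "delivered despite detection".</p>

```python
import re

# Constructed sample: unwrapped lines taken from the two runs in the message.
SAMPLE_LOG = """\
Jan 12 22:30:43 smtp MailScanner[226819]: Clamd::INFECTED::{HEX}EICAR.TEST.3.UNOFFICIAL :: ./4DFtJ14q8Fz7g2sY/msg-226819-3.txt
Jan 12 22:30:43 smtp MailScanner[226819]: Virus Scanning: Found 2 viruses
Jan 12 22:30:43 smtp MailScanner[226819]: Requeue: 4DFtJ14q8Fz7g2sY to 4DFtJ34gZPz0c34
Jan 12 22:30:43 smtp MailScanner[226819]: Uninfected: Delivered 1 messages
Jan 12 22:34:40 smtp MailScanner[227999]: Clamd::INFECTED:: {HEX}EICAR.TEST.3.UNOFFICIAL :: ./4DFtNZ31Mwz7g2sY/msg-227999-1.txt
Jan 12 22:34:40 smtp MailScanner[227999]: Infected message 4DFtNZ31Mwz7g2sY came from 198.100.154.215
Jan 12 22:34:40 smtp MailScanner[227999]: Saved entire message to /var/spool/MailScanner/quarantine/20210112/4DFtNZ31Mwz7g2sY
"""

# Scanner hit: signature name, then the per-message working directory (queue ID).
INFECTED = re.compile(r"Clamd::INFECTED::\s*(\S+)\s*::\s*\./([^/\s]+)/")
# Message handed back to the MTA for delivery under a new queue ID.
REQUEUE = re.compile(r"MailScanner\[\d+\]: Requeue: (\S+) to (\S+)")
# Evidence that MailScanner acted on the detection for this queue ID.
HANDLED = re.compile(r"Infected message (\S+) came from|/quarantine/\d+/(\S+)")


def delivered_despite_detection(log_text):
    """Return {queue_id: details} for messages the scanner flagged but that
    were requeued without any infected/quarantine action being logged."""
    detections = {}  # queue ID -> set of signature names
    requeued = {}    # queue ID -> new queue ID after requeue
    handled = set()  # queue IDs marked infected or quarantined
    for line in log_text.splitlines():
        m = INFECTED.search(line)
        if m:
            detections.setdefault(m.group(2), set()).add(m.group(1))
            continue
        m = REQUEUE.search(line)
        if m:
            requeued[m.group(1)] = m.group(2)
            continue
        m = HANDLED.search(line)
        if m:
            handled.add(m.group(1) or m.group(2))
    return {
        qid: {"signatures": sorted(sigs), "requeued_to": requeued[qid]}
        for qid, sigs in detections.items()
        if qid in requeued and qid not in handled
    }


if __name__ == "__main__":
    for qid, info in delivered_despite_detection(SAMPLE_LOG).items():
        print(qid, info["signatures"], "requeued to", info["requeued_to"])
```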
</body>
</html>